An evolving threat landscape means the original 2015 guidance is in need of an update…
An Article Review.
The National Institute of Standards and Technology (NIST) is considering an update to its 2015 Special Publication 800-171, which contains cybersecurity controls that have been widely adopted across both the public and private sectors.
SP 800-171, also known as “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” sets forth a number of technical, physical and administrative controls and best practices for safeguarding data, and while their guidance is not binding on the private sector, it has been incorporated into many organizations’ policies and procedures. Additionally, the Federal Government has used SP 800-171 as the basis for some of its own processes.
While the original guidance remains valid, the evolving threat landscape in the years since its 2015 publication calls for revisions and additions, which NIST is attempting to include in its update. Specifically, the new guidance will address incident response in greater detail, including more emphasis on tabletop testing, checklists and other user training.
With studies suggesting as many as 95 percent of cybersecurity issues are related to human error, the focus on training and incident response is welcome, as the human factor is one that can sometimes be overlooked in favor of technical solutions. Despite the promise seen in AI and other technologies, humans are still the most important aspect of cybersecurity, and the new NIST guidance should reflect that.
At the present time there is no concrete date for the implementation of this new guidance, which is currently on its third revision. The public comment period will run through July 14 of this year, with the finalized guidance coming some time after that. We will keep you informed on this new guidance, whenever it does become available.
Original article by John Butler and Steve Stransky, writing for Lawfare.
This Article Review was written by a Cyberpoet!